Claims

This listing of claims will replace all prior version and listings of claims in the 
application: 

1. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious activity, comprising the steps of: 

monitoring packets exchanged between two hosts on the data 
communication network; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between the two hosts that relate to a single service and 
is characterized by a predetermined characteristic; 

collecting flow data from packet headers; 

assigning a concern index value to an identified flow based upon a 
predetermined characteristic of the flow; 

maintaining an accumulated concern index comprising concern 
index values for one or more identified flows associated with a host; 
and 

issuing an alarm signal in the event that the accumulated 
concern index for a host exceeds an alarm threshold value. 

2. (Currently amended) The method of claim 1, wherein the predetermined 
characteristic of a flow is selected from the group comprising: the elapse of a 
predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 
3. (Currently amended) The method of claim 1, further comprising the step of 
communicating a message to a firewall to drop packets going to or from the 
particular host in response to the alarm signal. 

4. (Currently amended) The method of claim 1, wherein the alarm signal generates a 
notification to a network administrator. 

5. (Currently amended) The method of claim 1, wherein each concern index value 
associated with a predetermined event is a predetermined fixed value. 

6. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious intrusion activity, comprising the steps of: 

monitoring packets exchanged between two hosts that are 
associated with a single service on the data communications network; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between the two hosts; 

collecting flow data from packet headers of the packets in the 
identified flow; 

based on the collected flow data, assigning a concern index value to 
the flow based on a predetermined characteristic of the flow; 

maintaining an accumulated concern index from flows that are 
associated with a particular host; 

issuing an alarm signal in the event that the accumulated 
concern index for the particular host exceeds an alarm 
threshold value; and 

in response to the alarm signal, sending a message to a utilization 
component. 

7. (New) (NOTE: NO CLAIM PRESENTED FOR CLAIM 7 IN ORIGINAL 
APPLICATION DUE TO TYPOGRAPHICAL ERROR) The method of claim 6, 
wherein the utilization component is selected from the group comprising: network 
security device, email, SNMP trap message, beeper, cellphone, firewall, network 
monitor, user interface display to an operator. 

8. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for determining whether the traffic is legitimate or 
potential suspicious activity, comprising the steps of: 

monitoring the exchange of packets between two hosts each having 
a particular Internet Protocol (IP) address; 

identifying a flow corresponding to a predetermined plurality of 
packets exchanged between a particular port of one of the hosts that 
remains constant during the plurality of packets; 

collecting flow data from packet headers of the packets in the 
identified flow; 

based on the collected flow data, assigning a concern index value 
to the flow; 

maintaining a host data structure containing accumulated 
concern index values from a plurality of flows that are associated with the 
particular host; and 

issuing an alarm in the event that the accumulated concern 
index values for the particular host has exceeded an alarm threshold value. 

9. (Currently amended) The method of claim 8, wherein each concern index value 
associated with a respective potential suspicious activity is a 
predetermined fixed value. 

10. (Currently amended) A system for analyzing network communication traffic and 
determining potential suspicious activity, comprising: 

a computer system operative to: 

a) monitor the communication of packets on a data communication 
network; 

b) classify the monitored packets into flows, wherein a flow 
corresponds to a predetermined plurality of packets exchanged 
between two hosts that are associated with a single service on the 
network; 

c) analyze the flows in order to assign a concern index value to a flow 
that may signify potential suspicious activity, wherein each 
concern index value associated with a respective potential 
suspicious activity is of a predetermined fixed value; 

d) generate an alarm signal in response to cumulated concern index 
values; and 

a communication system coupled to the computer system operative to 
receive packets communicated between hosts on the network. 

11. (Currently amended) A system for analyzing network communication traffic and 
determining potential suspicious activity, comprising: 

a processor operative to: 

a) monitor the communication of packets on a data 
communication network; 

b) classify the monitored packets into flows, wherein a flow 
corresponds to a predetermined plurality of packets 
exchanged between two hosts that are associated with a 
single service on the network; 

c) maintain a flow data structure for storing data 
corresponding to a plurality of flows; 

d) analyze the flows in the flow data structure in order to 
assign a concern index value to a flow that may signify 
potential suspicious activity, wherein each concern index 
value associated with a respective potential suspicious 
activity is of a predetermined fixed value; 

e) cumulate assigned concern index values of one or more 
flows associated with a particular host; 

f) maintain a host data structure for storing data associating a 
cumulated concern index value with each one of a plurality 
of hosts; and 

g) generate an alarm signal in response to cumulated concern 
index values in the host data structure; 

a memory coupled to the processor and operative to store 
the flow data structure and the host data structure; and 

a network interface coupled to the processor operative to receive 
packets on the data communication network. 

12. (Currently amended) A method of analyzing network communication traffic on a 
data communication network for potential suspicious activity, 
comprising the steps of: 

monitoring packets exchanged between two hosts on the data 
communication network; 

identifying packets provided by one of the two hosts that have 
a transport level protocol specifying a packet format that [illegible] 
of a data area; 

in response to determination that the transport level protocol is a 
User Datagram Protocol (UDP) packet and the data segment associated 
with the UDP packet contains two bytes or less of data, storing a concern 
index value of a predetermined amount in a memory in association with 
information identifying the host that issued the UDP packet; and 

issuing an alarm when the cumulated concern index value 
associated with the host exceeds a predetermined threshold level. 

13. (New) The method of claim 6, wherein a flow is characterized by a predetermined 
characteristic selected from the group comprising: the elapse of a predetermined 
period of time where no packets are exchanged between two hosts, the occurrence 
of a FIN flag, predetermined characteristics of traffic on a given port, and the 
occurrence of a RESET packet. 

14. (New) The method of claim 8, wherein a flow is characterized by a 
predetermined characteristic selected from the group comprising: the elapse of a 
predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

15. (New) The system of claim 10, wherein a flow is characterized by a 
predetermined characteristic selected from the group comprising: the elapse of a 
predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

16. (New) The system of claim 11, wherein a flow is characterized by a 
predetermined characteristic selected from the group comprising: the elapse of a 
predetermined period of time wherein no packets are exchanged between two 
hosts, the occurrence of a FIN flag, predetermined characteristics of traffic on a 
given port, and the occurrence of a RESET packet. 

17. (New) The method of claim 1, wherein the single service comprises a port 
number remaining constant for a plurality of packets. 
18. (New) The method of claim 1, wherein the suspicious activity is from an inside 
address or from an outside address. 

1 9. (New) The method of claim 1 , wherein the concern index for a suspicious 
activity is derived by reference to a table of predetermined suspicious activities 
each having a predetermined concern index value. 

20. (New) The method of claim 1, wherein the host for which the concern index is 
accumulated is an inside host. 

21. (New) The method of claim 1, wherein the host for which the concern index is 
accumulated is an outside host. 

22. (New) The method of claim 1 , wherein the steps are carried out in a monitoring 
appliance. 

23. (New) The method of claim 22, wherein the monitoring appliance is installed 
behind a firewall. 

24. (New) The method of claim 22, wherein the monitoring appliance is connected 
before a firewall. 

25 . (New) The method of claim 22, wherein the monitoring appliance is connected in 
a DMZ. 

26. (New) The method of claim 22, wherein the monitoring appliance is configured 
to operate as a pass-by filter. 
27. (New) The method of claim 22, wherein the monitoring appliance is coupled to a 
network device. 

28. (New) The method of claim 27, wherein the network device is selected from the 
group comprising: router, switch, hub, tap. 

29. (New) The method of claim 27, wherein the network device is a network security 
device. 

30. (New) The method of claim 1, wherein the monitoring of packets comprises 
monitoring on packet header information only. 

31. (New) The method of claim 1, wherein the monitoring of packets is carried out in 
a device operating in a promiscuous mode. 

32. (New) The method of claim 1, wherein the alarm signal is provided to a 
utilization component. 

33. (New) The method of claim 32, wherein the utilization component is selected 
from the group comprising: network security device, email, SNMP trap message, 
beeper, cellphone, firewall, network monitor, user interface display to an operator. 
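As an added illustration that is not part of the application or its claims, the following Python sketch exercises the scheme recited in claims 1, 8, 11, 12 and 19: packets are classified into flows keyed by host pair and service port, each flow event draws a fixed concern index value from a lookup table, the values accumulate in a per-host data structure, and an alarm is issued once a host's accumulated index exceeds a threshold. The table values, threshold, packet field names and sample traffic are all constructed assumptions.

```python
from collections import defaultdict
# Constructed table of predetermined suspicious characteristics, each mapped to a
# fixed concern index value (claim 19); the numbers are illustrative, not the application's.
CONCERN_TABLE = {
    "udp_tiny_payload": 30,  # UDP datagram carrying two bytes or less of data (claim 12)
    "reset": 10,             # flow terminated by a RESET packet
    "fin": 0,                # orderly FIN close, treated as normal traffic
}
ALARM_THRESHOLD = 50         # assumed alarm threshold value

class FlowMonitor:
    def __init__(self, threshold=ALARM_THRESHOLD):
        self.flows = {}                  # flow data structure: flow key -> packet count
        self.host_ci = defaultdict(int)  # host data structure: host -> accumulated concern index
        self.alarms = []                 # hosts for which an alarm signal has been issued
        self.threshold = threshold

    @staticmethod
    def flow_key(pkt):
        # A flow is the packets exchanged between two hosts for a single service; the service
        # port is the one that stays constant across the flow, assumed here to be the lower one.
        hosts = tuple(sorted((pkt["src"], pkt["dst"])))
        return hosts + (pkt["proto"], min(pkt["sport"], pkt["dport"]))

    def add_concern(self, host, event):
        self.host_ci[host] += CONCERN_TABLE[event]
        if self.host_ci[host] > self.threshold and host not in self.alarms:
            self.alarms.append(host)     # alarm signal would go to a utilization component

    def observe(self, pkt):
        key = self.flow_key(pkt)
        self.flows[key] = self.flows.get(key, 0) + 1
        flags = pkt.get("flags", frozenset())
        if pkt["proto"] == "udp" and pkt["data_len"] <= 2:
            self.add_concern(pkt["src"], "udp_tiny_payload")
        for flag, event in (("RST", "reset"), ("FIN", "fin")):
            if flag in flags:
                self.add_concern(pkt["src"], event)
                self.flows.pop(key, None)   # RST/FIN delimit the flow (claim 2)

def run_sample():
    """Constructed traffic: a normal web session plus a host emitting tiny UDP datagrams."""
    m = FlowMonitor()
    for port in (53, 54, 55):
        m.observe({"src": "10.0.0.5", "dst": "10.0.0.9", "proto": "udp",
                   "sport": 40000, "dport": port, "data_len": 1})
    web = {"src": "10.0.0.7", "dst": "10.0.0.9", "proto": "tcp", "sport": 51000, "dport": 80}
    m.observe({**web, "data_len": 200, "flags": {"ACK"}})
    m.observe({**web, "data_len": 0, "flags": {"FIN", "ACK"}})
    return m
```

Running `run_sample()` leaves 10.0.0.5 with an accumulated index of 90 and an alarm raised on its second datagram, while the FIN-closed web session contributes nothing to 10.0.0.7 and is removed from the flow table.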
Record of Interview 

The applicants would like to thank Examiner Ronald Baum for his helpful 
comments and suggestions during the telephone interview with the undersigned and 
associate attorney Wendell Peete on December 14, 2005. During the telephone interview 
certain aspects of novelty over the cited art were discussed. 

Pursuant to 37 C.F.R. § 1.133(b), the following description is submitted as a 
complete written statement of the reasons presented at the interview as warranting 
favorable action. The following statement is intended to comply with the requirements of 
MPEP § 713.04 and expressly sets forth: (A) a brief description of the nature of any exhibit 
shown or any demonstration conducted; (B) identification of the claims discussed; (C) 
identification of specific prior art discussed; (D) identification of the principal proposed 
amendments of a substantive nature discussed; (E) the general thrust of the principal 
arguments; and (F) a general indication of any other pertinent matters; and (G) the 
general results or outcome of the interview, if appropriate. 

(A) No exhibits were shown or discussed. 

(B) The independent claims were discussed, in particular certain aspects relating 
to flow-based detection of network intrusions. 

(C) The Shipley (6,119,236) patent was discussed. 

(D) No proposed amendments were officially presented or discussed, but the 
claim amendments presented in this paper are consistent with the discussion. 

(E) The general thrust of the discussion was as set forth below in the next 
paragraphs. 

(F) No other matters were discussed. 

(G) No agreement was reached during the interview regarding the claims. 

The general thrust of the discussion was that the Shipley patent did not disclose, 
teach, or suggest the claimed aspects of a flow-based detection of suspicious network 
activity such as intrusions. As discussed, and among other aspects, the claimed 
invention(s) provide for detection of suspicious network activity based on the monitoring 
of packets between two hosts on a network that are associated with a single service, and 
characterizing a group of such packets as a "flow." 

The examiner suggested that the claims be amended to more particularly specify 
what a flow is and how the flows are used to determine the recited "concern index." No 
agreement on particular claim language was reached, pending submission of a formal 
amendment. 

The amendments herein and comments that follow are intended to be consistent 
with the remarks made during the interview. 

Further, for the record, on or about February 1, 2006, the undersigned had a 
subsequent telephone conference with the examiner to discuss the submission of a 
replacement (or supplemental, or substitute) amendment so as to clarify certain language 
relating to identifying a flow based on "predetermined characteristics" as opposed to 
"delimited by a predetermined event," the latter of which is believed to be unduly narrow. 
The examiner suggested filing a substitute or supplemental response. This paper is in 
response to that discussion. 

In the event that the foregoing record is not considered complete and accurate, the 
Examiner is respectfully requested to bring any incompleteness or inaccuracy to the 
attention of the undersigned. 